New static IP

Discussion in 'HOWTO-Related Questions' started by mrbronz, Feb 24, 2023.

  1. remkoh

    remkoh Active Member

    Ok, so your server has one ip (and localhost), 192.168.61.71.
    And Bind is listening on that ip and localhost on tcp and udp port 53.
    So Bind seems to be up and running.

    But 192.168.61.71 is a private ip.
    So you then must have a router/firewall in front of your server doing nat/port forwarding.
    Check those rules. I'm almost certain that's causing your server to be unreachable.

    Assuming the IP change only affected your router's WAN and you haven't changed anything on your LAN and server.
    Otherwise it could also be a firewall issue on your server if you have one active.
     
    Last edited: Mar 1, 2023
  2. mrbronz

    mrbronz Member HowtoForge Supporter

    Well yes, I do have a router, a Draytek Vigor 2765, but I have changed the IP addresses on it and have set up a DMZ direct from the public IP to the private IP, so I cannot see how the firewall will have any effect.
     
  3. remkoh

    remkoh Active Member

    Fair point. Nevertheless, the outside world can't connect to your nameserver, even though Bind is up and running.

    Whether or not your zone has issues the world should be able to connect.
    So if your Draytek isn't causing it then I can only think of a firewall on the server itself with incorrect or missing configuration.

    The first step needs to be resolving the problems connecting to Bind.
    Only after resolving that is it possible to examine other problems you might be having with the zone.
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    It actually depends on your router, whether it is a home router or a commercial one. For me, I would try port forwarding first. If it works, I will check the router's manual for how to make the same work for its DMZ, i.e. without port forwarding.
     
  5. mrbronz

    mrbronz Member HowtoForge Supporter

    Hi ahrasis

    Thank you for the input.

    I have tried both port forwarding and DMZ; still not getting anything.

    I noted that I can ping the IP addresses that have equipment connected to them.
    Not that this helps.

    But I think it should show the IP addresses are correctly connected to some degree.

    The public traffic seems to be stopping dead as soon as it reaches my server. However, my private traffic, i.e. my local IP addresses, is getting through and delivering my local web pages.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I mean take the server out of the DMZ and keep it inside your LAN while port forwarding all the relevant ports to it as a test. If that works, you know you need to work out how to properly set up your server in that router's DMZ.
     
    remkoh likes this.
  7. remkoh

    remkoh Active Member

    Indeed the best way to go.
    Delete all DMZ stuff in your router and set necessary port forwards only.
    (that's tcp and udp port 53 for dns services)

    And make sure you don't have any firewall rules that could interfere.
    (I know Draytek like the back of my hand and therefore what faulty config can do)

    If the outside world still cannot connect to your nameserver then the problem is definitely your server.
    Some kind of misconfigured firewalling, because yesterday we established that Bind is up and running.
     
    Last edited: Mar 1, 2023
  8. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    If you're just trying to confirm external DNS requests make it to your server's private IP, stop Bind altogether,
    install netcat (nc) and have that listen on port 53 (UDP).

    then try to connect to that using netcat on a client machine...

    https://jameshfisher.com/2018/03/04/create-udp-connection-with-netcat/

    depending on your router/firewall, you may even be able to try this directly from there, rather than an external client machine.. which should indicate whether or not it's a dns/port forwarding config issue.. or a config / firewall issue directly on the dns server itself.
     
  9. Alex Mamatuik

    Alex Mamatuik Member

    [attachment: 1.png]
    Every answer section has its own A-record for ispconfig and for another domain.
    Moreover, the authority section has the NS-records.
    In your case, it uses the SOA-record.
    [attachment: 2.png]
    I think you primarily have to figure out what is wrong with this SOA-record and why an A-record is absent.

    For instance,
    named-based binding for mamatuik.com:
    Code:
    $TTL    3600
    @       IN      SOA     ns1.kommerz.center. drupal.mamatuik.com. (
                            2021031401      ; serial, today's date + today's serial #
                            7200            ; refresh, seconds
                            540             ; retry, seconds
                            604800          ; expire, seconds
                            3600 )          ; minimum, seconds
    ;
    ; names without a trailing dot are relative to the zone origin (mamatuik.com.)
    drupal          86400   A       139.99.89.218
    mail            3600    A       139.99.89.218
    mamatuik.com.   3600    A       139.99.89.218
    www             3600    A       139.99.89.218
    mamatuik.com.   3600    AAAA    2402:1f00:8000:800:0:0:0:19d8
    www             3600    AAAA    2402:1f00:8000:800:0:0:0:19d8
    mamatuik.com.   3600    CAA     0 issue "letsencrypt.org"
    mamatuik.com.   3600    MX      10 mail.mamatuik.com.
    mamatuik.com.   3600    NS      ns1.kommerz.center.
    mamatuik.com.   3600    NS      ns2.kommerz.center.
    mamatuik.com.   3600    TXT     "v=spf1 mx a ~all"

    whois me.uk - is OK
    Code:
     Name servers:
            nsa.nic.uk.        156.154.100.3       2001:502:ad09::3
            nsb.nic.uk.        156.154.101.3       2001:502:2eda::3
            nsc.nic.uk.        156.154.102.3       2610:a1:1009::3
            nsd.nic.uk.        156.154.103.3       2610:a1:1010::3
            dns1.nic.uk.        213.248.216.1       2a01:618:400::1
            dns2.nic.uk.        103.49.80.1       2401:fd80:400::1
            dns3.nic.uk.        213.248.220.1       2a01:618:404::1
            dns4.nic.uk.        43.230.48.1       2401:fd80:404::1
    but traceroute me.uk
    me.uk: Name or service not known
    Cannot handle "host" cmdline arg `me.uk' on position 1 (argc 1)
     
    mrbronz likes this.
  10. mrbronz

    mrbronz Member HowtoForge Supporter

    If I wasn't confused before, I am now. Even with all that info, I don't really know what to do with it. But thank you for providing it.
    I have done a local dig using @192.168.61.72 gregson.me.uk and the strange thing is it is returning my old IP addresses.
    I have removed the gregson.me.uk zone and recreated it. Still to no avail.
    Where is it getting the IP address from locally?

    Code:
    # dig @192.168.61.72 gregson.me.uk
    
    ; <<>> DiG 9.11.5-P4-5.1+deb10u8-Debian <<>> @192.168.61.72 gregson.me.uk
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48520
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: f31bf728e7a1a4c1b6d9c0e163ff9bee6a2fe692aa75bf0f (good)
    ;; QUESTION SECTION:
    ;gregson.me.uk.                 IN      A
    ;; ANSWER SECTION:
    gregson.me.uk.          3600    IN      A       212.159.96.42
    ;; AUTHORITY SECTION:
    gregson.me.uk.          3600    IN      NS      ns1.gregson.me.uk.
    gregson.me.uk.          3600    IN      NS      ns2.gregson.me.uk.
    ;; ADDITIONAL SECTION:
    ns1.gregson.me.uk.      3600    IN      A       212.159.96.43
    ns2.gregson.me.uk.      3600    IN      A       212.159.96.44
    ;; Query time: 3 msec
    ;; SERVER: 192.168.61.72#53(192.168.61.72)
    ;; WHEN: Wed Mar 01 18:39:42 GMT 2023
    ;; MSG SIZE  rcvd: 154
     
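    The two diagnostics suggested in this thread, nhybgtvfr's "does the datagram reach the server at all" test and the stale-answer dig above, can be combined in one script. This is added example code, not from any poster: it builds a raw DNS A query, sends it to UDP/53, and parses the reply; the embedded response bytes are a constructed copy of the dig answer above, and the server address and name you pass to check_server are placeholders you supply.

    ```python
    import socket
    import struct

    # Constructed sample: wire form of the dig answer quoted in this thread
    # (id 48520, flags qr aa rd ra, gregson.me.uk. 3600 IN A 212.159.96.42).
    SAMPLE_RESPONSE = bytes.fromhex(
        "bd88 8580 0001 0001 0000 0000"                   # header: id, flags, qd=1, an=1
        "07 67726567736f6e 02 6d65 02 756b 00 0001 0001"   # question: gregson.me.uk A IN
        "c00c 0001 0001 00000e10 0004 d49f602a")           # answer: name ptr, A, IN, 3600, 4, rdata

    def build_query(name, txid=0x1234):
        """Plain RFC 1035 A/IN query for name with the RD flag set."""
        labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
        return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

    def _skip_name(msg, off):
        """Offset just past a domain name; a compression pointer ends it after two bytes."""
        while msg[off] != 0:
            if msg[off] & 0xC0 == 0xC0:
                return off + 2
            off += 1 + msg[off]
        return off + 1

    def parse_a_records(msg):
        """Return (rcode, [IPv4 strings]) from the ANSWER section of a response."""
        _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4                # skip QTYPE and QCLASS
        addrs = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if rtype == 1 and rdlen == 4:                 # A record
                addrs.append(socket.inet_ntoa(msg[off:off + 4]))
            off += rdlen
        return flags & 0x000F, addrs

    def check_server(server, name, timeout=3.0):
        """Query server on UDP/53. None: no reply, the datagram never reached Bind (NAT/forward/firewall).
        Otherwise (rcode, addrs): an old address in addrs means the zone data is stale."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name), (server, 53))
            try:
                return parse_a_records(sock.recvfrom(4096)[0])
            except socket.timeout:
                return None
    ```

    Run check_server from a LAN host against the private IP and from an outside host against the public IP; a reply on the LAN but None from outside points at the router, while the old address from both points at the zone.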
  11. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That shows the name server 192.168.61.72 is configured with the old IP addresses. Is that your ISPConfig name server? ISPConfig should take care of restarting or reloading the name server when the configuration is changed.
     
  12. mrbronz

    mrbronz Member HowtoForge Supporter

    Yes it is, I thought it should take care of any changes but it has not.

    I cannot figure it out.

    I have a couple of other things I will try before I give up.
     
  13. Alex Mamatuik

    Alex Mamatuik Member

    I think Mr. Till is laughing at us :) o_O :D

    @mrbronz, just show, please, the server-side DNS zone records (even front-end) for me.uk (?) or for gregson.me.uk.
     
  14. mrbronz

    mrbronz Member HowtoForge Supporter

  15. mrbronz

    mrbronz Member HowtoForge Supporter

    This is how it has always been, and it has worked right up to the point the IP addresses were changed.
     
  16. Alex Mamatuik

    Alex Mamatuik Member

    it's unbelievable, how could it have been reached?

    (seems, i do know nothing)
    Anyway,
    192.168.xxx.xxx is always used for private Internet Protocol addresses (as @remkoh has already mentioned).

    And why is mrbronz.uk also added inside of your gregson.me.uk -zone?
    How did you connect to your ISPConfig control panel earlier? What did you input in the browser's address bar?

    Your 'named' configuration only persists as a private tunnel.

    The guys (Mr. Lehtonen and others) were right, that the problem is with your port forwarding also.
    - you should understand, how your NAT is executed.

    Oh, it's terrible, I have a lack of knowledge about this matter at all and never dealt... so sad.
    https://access.redhat.com/documenta...irtual_networking-network_address_translation

    I guess iptables should be modified.

    My cctv also works like port-forwarding with DMZ.
    ... and OpenVPN uses some similar technique to assign some private ip to your network adapter - to connect with the server, through which you exchange data with outer world.
     
  17. Alex Mamatuik

    Alex Mamatuik Member

    But I am really disappointed: why do you need to use such a complicated system with the private-IP rule enabled? Very confused and much tangled.
     
  18. mrbronz

    mrbronz Member HowtoForge Supporter

    Correct, I don't know much about this, nor do most people when they are starting out. It's not possible in my world to read 100 books, put them down and then know everything you're ever going to need.
    This is a hobby for me and I enjoy tinkering.
    The reason for the mrbronz.uk domain is that I was experimenting and forgot to remove that record.

    I would like to thank you guys so much for all your help and input; you have been so patient with me and it is very much appreciated.
    But it seems I have completely messed this up so I have made the decision to rebuild all my servers from scratch.

    Once again many thanks for all your help.

    I may need your help in the future, so watch this space.

    Thank you and all the best
    Martin
     
    Alex Mamatuik likes this.
  19. Alex Mamatuik

    Alex Mamatuik Member

    All you need: assign ns1, ns2 or dns1, dns2 records for your chosen domain at the domain's provider.
    And repeat steps from to-your-taste tutorials for Debian, Centos (my choice) or Ubuntu:
    1. https://www.howtoforge.com/tutorial...sl-pureftpd-bind-postfix-doveot-and-ispconfig
    2. https://www.howtoforge.com/tutorial...ql-php-pureftpd-postfix-dovecot-and-ispconfig
    3. https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
    And a simple, non-optimized server would be ready in 1-2 or 3 hours.
     
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry to hear that you have to rebuild your server from scratch but that will be a good experience though. My guess is however the same, so if you are running the server behind a NAT router again, do try with port forwarding first, and see how it goes.
     